Sunday, August 7, 2011

This is for informational use only. Abuse it at your own risk; you have been warned.
This is one of my favorite interview questions. Whenever you ask it of a normal systems administrator, the answer is a big no, and many in the security arena answer the same. I think otherwise. Maybe

I am dumb...

OK, let us cook something up... it has been a long, long time since I cooked anything.
Let us assume the following (an IP address is logical addressing and a MAC address is physical addressing):

We have PC1 with IP 1 and MAC address 1
We have PC2 with IP 2 and MAC address 2

Now let us say PC1 wants to ping PC2 (yeah, on the same LAN it will ping... you would be thinking what an idiot explanation, we know this... just be patient and go through the post :). When PC1 tries to ping PC2 it does an operation called ANDing to find out whether the destination host is on the same logical subnet; it is not concerned with the physical network, such as whether both are on the same switch or hub.
It does this by ANDing its own subnet mask with the destination IP and comparing the result with its own network address. As they are on one LAN, assume for now that they are in the same range, keeping things simple.
Now, to transfer the Echo Request (with dumb data in it), PC1 needs to know the physical location of PC2. As the ANDing tells it they are on the same logical segment, PC1 sends out an ARP broadcast packet.
This packet contains following...
Source IP = IP 1
Source mac = Mac 1
Destination IP = IP 2
Destination MAC = ??????????????? (unknown)
PC2, which is on the wire, accepts this packet, processes it, notes down the IP-to-MAC relationship of PC1 in its table called the ARP cache or ARP table, and sends back its own MAC info to PC1 so it can update its table as well.

To dump the contents of the ARP cache or table use the following:
arp -a  (in Windows)
arp  (in Linux; search for the equivalent on other OSes)

Then PC1 sends out the ICMP Echo Request (ping) data to PC2 addressed to its physical address (MAC address).
This means all communication happens on physical addressing, not on logical IPs. To validate what this dumb guy is saying, just capture the data flowing on the wire and see for yourself: an ARP request and response precede the real data transfer, whether it be FTP, HTTP, DNS, WINS, Telnet, etc.

Homework done... basics understood... now the real fun.

Now think from a reverse engineer's perspective.
When PC1 has IP 1 on the wire and you try to assign the same IP to PC2, PC1 shows a warning saying there is a conflict, and PC2 shows a warning saying the IP is already in use on the network. So somehow, somewhere in the stack, there is a condition match which pops up these alerts.
Think of this as similar to the good jump and bad jump after a key compare in program cracking. Now, how to overcome this? Things are getting interesting here.

When you assign a PC an IP, to validate that it is not already in use on the network, the machine sends out a special ARP request 3 times and waits for a response. If there is a response, alerts are sounded: IP conflict, etc.
This is called Gratuitous ARP, and it contains the following:
Source IP : IP which is to be assigned
Source MAC : MAC of the machine
Dest IP : IP which is to be assigned (meaning the destination is itself)
Dest MAC: ????????????? (unknown)
So if there is a machine on the wire already holding that IP, it processes the packet and sounds an alert, because the MACs of the two are different, and it sends a reply back with its own MAC. This PC then also knows there is already a machine with the IP it was going to use, and sounds its own alert.

Smiling now... hmmm, a good, nice way... but how to overcome these alerts? PC1 has IP 1 to start with and PC2 has IP 2.
Now just ping PC2 from PC1
and dump your ARP cache to learn the MAC of PC2.
Once the MAC is known,
open the network properties of PC1 and, under the network card configuration, under Advanced, put in that MAC value.
Click OK and you are half done. Now two machines on the network have the same MAC but different IPs.
Now just change the IP on PC1 from IP 1 to IP 2. It will send out the packet as usual, but its contents will be this:
Source IP = IP 2
Source MAC = MAC 2
Dest IP = IP 2
Dest MAC = ??????????
Even if PC2 processes the packet, nothing looks strange to it, as the source MAC is the same as its own MAC, so the condition is not met, no alert is sounded, and the stack initializes. Now both machines can communicate with any other machine on the wire, and even surf the internet, etc., but cannot communicate with each other.
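To make the condition match described above concrete, here is an added example (my own code, not anything from the original post): it builds and parses raw ARP frames with constructed addresses standing in for "IP 1 / Mac 1" and "IP 2 / Mac 2", applies the host-stack rule (sender IP already bound to a different MAC = conflict), and adds the switch-side check a defender would actually rely on, since the cloned-MAC case is invisible to the host rule but shows up as one MAC appearing on two ports.

```python
import struct

# Constructed sample addresses standing in for the post's "IP 1 / Mac 1" and "IP 2 / Mac 2".
MAC1, MAC2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP1, IP2 = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2])

def build_arp(opcode, sha, spa, tpa):
    """Ethernet + ARP frame (RFC 826 layout); target MAC is zero, the '??????' in the post."""
    eth = b"\xff" * 6 + sha + b"\x08\x06"   # broadcast dst, source MAC, EtherType ARP
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + spa + b"\x00" * 6 + tpa

def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP, target IP) from a raw frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return op, frame[22:28], frame[28:32], frame[38:42]

class ArpMonitor:
    """Two checks: the host-stack rule from the post (sender IP already bound to a different
    MAC = IP conflict) and a switch-side rule (one MAC seen on two ports = MAC move/clone)."""
    def __init__(self):
        self.ip_to_mac, self.mac_to_port, self.alerts = {}, {}, []

    def observe(self, frame, port):
        """Process one frame seen on a switch port; return (host_conflict, mac_moved)."""
        op, sha, spa, tpa = parse_arp(frame)
        host_conflict = spa in self.ip_to_mac and self.ip_to_mac[spa] != sha
        mac_moved = sha in self.mac_to_port and self.mac_to_port[sha] != port
        if host_conflict:
            self.alerts.append(f"IP conflict: {spa.hex()} claimed by {sha.hex()} on port {port}")
        else:
            self.ip_to_mac[spa] = sha          # first claim (or same MAC re-announcing) is accepted
        if mac_moved:
            self.alerts.append(f"MAC {sha.hex()} moved from port {self.mac_to_port[sha]} to {port}")
        self.mac_to_port[sha] = port
        return host_conflict, mac_moved

def demo():
    """Replays the post's scenario with PC1 on port 1 and PC2 on port 2."""
    mon = ArpMonitor()
    mon.observe(build_arp(1, MAC1, IP1, IP1), 1)           # PC1 probes its own IP (tpa == spa)
    mon.observe(build_arp(1, MAC2, IP2, IP2), 2)           # PC2 probes its own IP
    naive = mon.observe(build_arp(1, MAC1, IP2, IP2), 1)   # PC1 takes IP 2 with its own MAC: conflict
    cloned = mon.observe(build_arp(1, MAC2, IP2, IP2), 1)  # PC1 takes IP 2 with cloned MAC: host rule silent
    return naive, cloned, mon.alerts

if __name__ == "__main__":
    print(demo())
```

The host rule fires only for the naive attempt; the cloned attempt passes it but trips the port-move check, which is what a switch's MAC-flapping log or a monitoring tool watching ARP per port would surface.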

Hope you understood this.

Normal disclaimer: this is for educational use only, please do not use it with malicious intentions. If you do so, it is at your own risk; you have been warned.